Hackers stole a file containing the personal information of 1.4 million AP-HP patients this summer.
These listings are generally resold on the Darkweb and are used to mount scams, such as phishing or identity theft.
The AP-HP and the Ministry of Health have lodged a complaint.
The attack took place in the middle of summer but was not confirmed until mid-September: hackers stole the personal data of 1.4 million patients from the Assistance publique-Hôpitaux de Paris. What they have in common: all of them had taken a Covid-19 screening test in mid-2020 and had provided their identity, full contact details and Social Security number for "contact tracing". But why are hackers interested in this kind of data? What is the value of knowing that so-and-so was infected over a year ago? Especially since the case is far from isolated: at the end of August, a listing of 700,000 names, addresses and Social Security numbers was stolen from a site allowing pharmacies to transmit the results of antigen tests.
"What gives these files their value is the quality of the information they contain: it is recent and reliable", analyzes Me Jérôme Dérgez, lawyer specializing in data protection.
And for good reason: when you give your contact details to the hospital or pharmacy, you usually provide your last address, the email you frequently consult or your mobile number.
While some hacks lead to blackmail of the victim establishments, especially when the stolen data contains sensitive information, the majority of hackers are content to resell this information on the Darkweb.
Phishing, identity theft, insurance ...
Because the market is juicy. "The price of the listings varies depending on what they contain," assures Gérôme Billois, cybersecurity expert at Wavestone. The most expensive are obviously those which contain bank details, but for identities it can go up to two or three euros per name when the information is complete and precise. He would not be surprised if a listing like that of the AP-HP were sold for nearly a million euros on the black market.
This information then helps set up scams that can pay off big.
Starting with "phishing", these fraudulent emails which pass themselves off as your bank, insurance company, tax office… in order to recover your bank details.
"When you receive a phishing attempt, you generally know that it is a fake because the scenario does not hold up, because you did not request such and such a platform, because it is badly done", continues Gérôme Billois.
But if the email you receive contains your Social Security number, the place where you took the test, your exact contact details… the deception is less easily detectable.
Hence the warning of great caution launched by the AP-HP to the victims of this data theft.
Another risk, even more pernicious: identity theft, which allows crooks to set up credit files in your name or to apply for social benefits under a false identity.
Sometimes the victim does not realize this until they are contacted by collection agencies.
"In the case of the AP-HP, there was a rapid reaction and the people concerned have been warned, but this is not always the case", specifies Me Jérôme Dérgez, who claims to have been contacted by several victims of this recent attack and is thinking about the follow-up to be given to this affair.
At the same time, the AP-HP and the Ministry of Health lodged a complaint.